Introduction
In our previous blog “A Proactive Approach to Cloud Security Posture Management with Microsoft Defender for Cloud,” Yuri Diogenes emphasized the importance of proactive security posture management and outlined a successful organizational structure for security teams. He delved into the core elements of posture management, including monitoring secure score improvement, enforcing governance rules, and engaging in proactive hunting.
Building on that discussion, we now turn our attention to the vital aspect of proactive hunting in this follow-up article. Our goal is to provide technical insights and practical tips for reducing the attack surface and minimizing the risk of compromise through proactive hunting in cloud environments.
This article will demonstrate how you can utilize Microsoft Defender for Cloud's Security Explorer to conduct proactive hunting in cloud environments with maximum efficiency.
Use Case Scenarios
Scenario 1 - Azure Virtual Machine exposed to a public network such as the Internet with high vulnerabilities and loose permissions.
As cloud technology continues to advance, virtual machines (VMs) face increasing threats from public networks like the internet. This presents a major challenge, especially considering that VMs frequently host sensitive applications and data. To address this risk, it is vital for organizations to identify vulnerabilities in their VMs and ensure they are not accessible from the internet.
For this fictitious scenario, let us use a company that developed a popular cloud-based application used by millions of users around the world. The application stores sensitive information, such as login credentials and financial data, and must always remain secure. However, as the application gains widespread adoption, the security team is faced with a new challenge.
The servers hosting the application are now exposed to the internet and vulnerable to a variety of security threats. If an attacker successfully exploits these vulnerabilities, they could move laterally to other resources such as key vaults, databases, and storage accounts, potentially resulting in a devastating data breach.
The team must take proactive steps to identify and mitigate these risks before they can be exploited.
To address this risk, the security team decides to take a proactive approach and evaluate their environment for potential security risks. They turn to Defender for Cloud and its Cloud Security Explorer capability, which gives them the ability to assess their cloud environment's overall security posture, including the configuration of their servers.
The security engineer builds a query to identify all servers that are exposed to the internet and vulnerable to remote code execution (RCE) (Figure 1 [1], [2], [3]). To get a complete understanding of the security posture of these internet-exposed virtual machines, the engineer expands the query to check if any of the virtual machines have a system identity with permission to access Azure Key Vaults, SQL Databases, and Storage Accounts (Figure 1 [4]).
This comprehensive view of the virtual machine's security helps the company to remediate any risks before they are exploited, preventing data breaches and unauthorized access.
With these measures in place, the company can have peace of mind knowing their sensitive information is protected.
In the following picture you can see and follow the query mentioned above, and the results produced by the search (Figure 1 [5]).
The output from the query in Defender for Cloud - Cloud Security Explorer provides more than just a list of virtual machines that match the criteria. The results allow the engineer to thoroughly examine each record and gain valuable security insights related to the virtual machine.
By selecting a record, a side panel will expand, offering a deep dive into the details of the virtual machine. This includes all resources attached to the result (Figure 2 [1]), as well as information about the environment (such as the cloud provider and resource group, if the environment is Azure) (Figure 2 [2]). Additionally, the network insights related to the virtual machine's exposure to the internet (Figure 2 [3]), as well as any vulnerabilities found on the server and their potential for remote code execution, can be reviewed (Figure 3 [1]).
Importantly, the results also provide information about the Key Vault, SQL DB, or Storage Account the server has access to (Figure 3-1 [1]).
Here is a graphical representation of the process executed during the risk analysis for this use case:
Scenario 2 - AWS EC2 Instance Virtual Machine exposed to a public network such as the Internet with high-severity vulnerabilities such as RCE, OMI, and OpenSSL flaws.
Now let us explore a company that operates an e-commerce platform where they store sensitive customer information, such as credit card numbers and addresses, on their AWS cloud servers. To safeguard this information, the security team chose to encrypt all customer-server communications using OpenSSL. However, the team recently learned of critical vulnerabilities in OpenSSL, namely CVE-2022-3602 and CVE-2022-3786, which could result in a Denial-of-Service attack if a maliciously crafted certificate were sent to a server during client authentication. To compound the issue, the team also discovered that their e-commerce platform could be vulnerable to Remote Code Execution, thanks to an outdated version of OMI (Open Management Infrastructure) being used to manage the servers.
The security team must proactively search for any servers that could be impacted by the identified security risks. Fortunately, they have recently onboarded their AWS account into Defender for Cloud using its native multicloud connector, and have enabled Defender CSPM. This allows them to leverage Cloud Security Explorer for their search and assess their EC2 instances for exposure to the aforementioned security risks.
By utilizing Defender Cloud Security Explorer, the security team can quickly identify VMs that are susceptible to security threats and attacks. With these proactive measures in place, the security team can effectively prevent data breaches, unauthorized access, and other security incidents from occurring.
The query begins with the resource "EC2 Instance" (Figure 4 [1]) and the filter that evaluates whether any servers are exposed to the internet (Figure 4 [2]). To assess the OpenSSL and OMI vulnerabilities, the query checks for vulnerabilities with the specified CVE identifiers (Figure 4 [3]):
- OMI: CVE-2021-3845; CVE-2021-38647; CVE-2021-38648; CVE-2021-38649
- OpenSSL: CVE-2022-3786; CVE-2022-3602
Fortunately, the results showed that no servers were found to be exposed to these security risks. If any vulnerabilities were identified, the security team could utilize the result insights to mitigate each risk by following the recommendations provided in the insights.
Here is a picture of the query built for this use case:
Here is a graphical representation of the process executed during the risk analysis for this use case:
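To make the logic of the Scenario 1 and Scenario 2 queries concrete outside the Cloud Security Explorer UI, here is an added example (not Microsoft's code or API) that runs the same two questions over a small, constructed asset inventory: the field names and the placeholder CVE id are assumptions, and the real CVE ids are the ones listed above.

```python
"""Toy asset-graph queries modelling Scenarios 1 and 2.

Added example, not part of Defender for Cloud: the inventory is constructed and
the field names (kind, internet_exposed, vulns, identity_access) are assumptions.
"""
from dataclasses import dataclass, field

# Resource kinds a VM's managed identity should not reach from an exposed, RCE-able host.
SENSITIVE_TARGETS = {"KeyVault", "SqlDatabase", "StorageAccount"}


@dataclass
class Compute:
    name: str
    kind: str                       # "AzureVM" or "EC2Instance"
    internet_exposed: bool          # network insight: reachable from the internet
    vulns: list = field(default_factory=list)          # (cve_id, allows_rce)
    identity_access: set = field(default_factory=set)  # kinds the identity can access


def exposed_rce_with_sensitive_access(inventory):
    """Scenario 1: internet-exposed Azure VMs with an RCE vuln whose identity can reach
    Key Vault, SQL or Storage, i.e. a foothold that enables lateral movement."""
    findings = {}
    for c in inventory:
        if c.kind != "AzureVM" or not c.internet_exposed:
            continue
        rce = sorted(cve for cve, allows_rce in c.vulns if allows_rce)
        reach = sorted(c.identity_access & SENSITIVE_TARGETS)
        if rce and reach:                       # all three conditions must hold
            findings[c.name] = {"rce_cves": rce, "reaches": reach}
    return findings


def exposed_instances_with_cves(inventory, cve_ids):
    """Scenario 2: internet-exposed EC2 instances carrying any of the listed CVE ids."""
    wanted = {cve.upper() for cve in cve_ids}   # compare CVE ids case-insensitively
    findings = {}
    for c in inventory:
        if c.kind != "EC2Instance" or not c.internet_exposed:
            continue
        hits = {cve.upper() for cve, _ in c.vulns} & wanted
        if hits:
            findings[c.name] = sorted(hits)
    return findings


# Constructed inventory (not real assets); CVE-0000-00001 is a placeholder id.
INVENTORY = [
    Compute("web-vm-01", "AzureVM", True, [("CVE-2021-38647", True)], {"KeyVault", "StorageAccount"}),
    Compute("batch-vm-02", "AzureVM", False, [("CVE-2021-38647", True)], {"KeyVault"}),
    Compute("api-vm-03", "AzureVM", True, [("CVE-2022-3602", False)], {"SqlDatabase"}),
    Compute("i-0abc", "EC2Instance", True, [("cve-2022-3786", False)], set()),
    Compute("i-0def", "EC2Instance", True, [("CVE-0000-00001", True)], set()),
]
OMI_OPENSSL = ["CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2022-3786", "CVE-2022-3602"]
```

Only web-vm-01 satisfies all three Scenario 1 conditions (batch-vm-02 is not exposed, api-vm-03 has no RCE vuln), and only i-0abc matches the Scenario 2 CVE filter.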
Scenario 3 - Shifting security to the left - GitHub repositories exposing secrets and code vulnerable to exploits
As a software engineer, you understand the crucial role you play in maintaining the security of code stored in your GitHub repositories. With the widespread reliance on open-source code, security vulnerabilities can be easily exploited and cause significant harm.
Alarmed by the potential security risks posed by your repositories, the security team launches a proactive search for any vulnerabilities and misconfigurations. To address these risks, the team has decided to implement the following recommended measures:
- Enable Dependency Vulnerability Scanning: To keep track of any vulnerabilities in dependencies and quickly receive alerts about any potential security issues, giving the team the opportunity to resolve them before they are exploited.
- Turn on Dependabot Scanning: This automatically creates pull requests to update dependencies when new vulnerabilities are found, ensuring the code remains secure.
- Enable Code Scanning: To detect any security issues in the code and identify potential security vulnerabilities, giving the team the chance to address them before attackers discover them.
- Enable Secret Scanning: To detect any secrets that may have been exposed in the repositories and take appropriate action to secure them before they fall into the wrong hands.
The security team turns to Defender for Cloud - Cloud Security Explorer to search for the above security risks and misconfigurations. The query starts with GitHub as the resource of focus (Figure 5 [1]), followed by checking whether any repositories are exposed publicly (Figure 5 [2]). Then, the query searches for "Unhealthy" recommendations to evaluate whether any of the following are found (Figure 5 [3]):
- Code repository should have dependency vulnerability scanning finding resolved
- GitHub repository should have dependabot scanning enabled
- GitHub repository should have code scanning enabled
- GitHub repositories should have secret scanning enabled
The result of this query listed two publicly exposed GitHub repositories that did not meet some of the recommendations (Figure 5 [4]).
The security team examines the results (Figure 6) and initiates a plan of action to mitigate the risk.
By implementing these measures, the team ensures that the code stored in their GitHub repositories remains secure and protected against potential security risks.
Here is a picture of the query built for this use case:
Here is a graphical representation of the process executed during the risk analysis for this use case:
Conclusion
Proactive hunting is a vital aspect of cloud security posture management and an effective way to reduce the attack surface and minimize the risk of compromise. With the increasing use of cloud technology, it is essential to have a robust security solution in place, and Microsoft Defender for Cloud - Cloud Security Explorer is a valuable capability to achieve this goal. With its comprehensive data collection and easy-to-use query feature, engineers can quickly detect potential security risks and exposures in their cloud environment, gaining a more complete view of their security posture and enabling a proactive approach to threat detection and response. By following the practices and strategies outlined in this article, organizations can significantly enhance their cloud security posture and mitigate security risks in their cloud environments.
Additional Resources
If you are using Attack Path and Cloud Security Explorer and want to share your feedback with the Defender for Cloud Team, please e-mail us directly from here. You can also use the resources below to learn more about these capabilities:
- Cloud security explorer and Attack path analysis (Video)
- Identify and remediate attack paths
- Microsoft Defender for Cloud Security Posture Management
Reviewers
Yuri Diogenes, Principal PM Manager, CxE Defender for Cloud
Meital Taran-Gutman, Principal GPM (Defender for Cloud)
Denis Mizetski, Principal PM Lead (Defender for Cloud)
David Trigano, Senior PM (Defender for DevOps)
Tal Rosler, Senior PM (Defender for Cloud)